
PicoCTF: heap 0

  • Cody
  • Dec 6, 2024
  • 2 min read

Challenge Name: Heap 0

Category: Binary Exploitation

Difficulty: Easy

Description: Walkthrough and learning


Challenge: Sweet talk the heap program into giving us the flag



First, we start the program. This program happens to be run using netcat (nc) and is running on port 59817.



Here is the supplied source code, which is worth studying.


Studying the source code, I try to make sense of what is going on. The safe variable is "bico". If bico does not equal zero, I win and it will print the flag. Like everything, it's not designed to let you win, at least not intentionally. So I want it to behave incorrectly.


The program gives you 5 options:

1. Print heap

2. Write to buffer

3. Print safe_var

4. Print flag

5. Exit


My first idea is that since I can input something using option 2, maybe I can overflow the buffer with a long integer to get the program to do what I want (print the flag). Judging by the way the code appears, its goal is to ensure that no matter what input is given, the safe variable "bico" never equals anything but 0. While it seems like the author wants you to focus on the safe_var "bico", I find that it leads to a dead end (as intended). I gravitate more to the defined constant:

FLAGSIZE_MAX 64 // amount of memory allocated for input_data


What happens if I input an integer with 65 digits? How do I do this? I do it by invoking Python. First, I specify the character by placing it between single quotation marks, and then I use the asterisk (*) to multiply it by a specified number (65 in this case):

'1'*65 = 65 digits of 1, which I copy and paste into the heap program



First I specify the number of the command I am performing from the 5 options. I choose option 2 because I am adding data, and then I paste the 65 ones that I copied from the Python expression.


Next I want to see whether anything that's not supposed to be displayed shows up when I print the heap. You can see the 1's that were added to the heap.



Remember that if the safe variable "bico" equaled zero, it would print "No flage for you :(". If it did not equal zero, it would print the flag.



Submit flag!


______________________________


Digging Deeper


Because the maximum input size allowed is 64 characters, I chose to go with 65. However, after some follow-up testing, the buffer overflow problems begin at 32 digits. Let's get a better view of what is going on at 32+ digits.


At 32 digits, you get the following results. No value is listed in the "bico" spot at all.


When you run this again, this time using 31 digits, you get the following results. As you can see, "bico" is listed in its appropriate spot.



Summary:

Based on my observations, at 32 digits, the safe variable "bico" is being overwritten and is thus no longer equal to 0. Below 32 digits, "bico" stands firm at 0.
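The 31-versus-32 boundary above follows directly from the two buffers sitting 32 bytes apart: the 32nd digit fills the last byte before safe_var, and the string terminator lands on safe_var's first byte, turning "bico" into an empty string. The following is an added example, not the challenge's code; it models that layout with a flat arena (the 32-byte distance is taken from the writeup's observation, not computed from the allocator) and shows the unbounded write next to a length-bounded write that cannot reach safe_var.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the observed layout: input_data at offset 0, safe_var
 * 32 bytes later, both inside one arena (assumption for this example). */
#define SAFE_VAR_OFFSET 32
#define INPUT_DATA_SIZE 5          /* bytes input_data is meant to own */
static unsigned char heap[128];
static char *input_data = (char *)heap;
static char *safe_var   = (char *)heap + SAFE_VAR_OFFSET;

static void init_heap(void) {
    memset(heap, 0, sizeof heap);
    strcpy(safe_var, "bico");      /* same initial value the challenge uses */
}

/* Same check as the challenge: anything other than "bico" counts as a win. */
static int check_win(void) { return strcmp(safe_var, "bico") != 0; }

/* Build the constructed input: ndigits copies of '1' plus a NUL terminator. */
static void make_digits(char *out, int ndigits) {
    if (ndigits > 100) ndigits = 100;
    memset(out, '1', (size_t)ndigits);
    out[ndigits] = '\0';
}

/* Unbounded write, like scanf("%s"): every digit plus the terminator is copied,
 * so 32 digits put the NUL on safe_var[0] and longer inputs overwrite "bico". */
static int write_unbounded(int ndigits) {
    char digits[128];
    make_digits(digits, ndigits);
    init_heap();
    memcpy(input_data, digits, strlen(digits) + 1);
    return check_win();
}

/* Bounded write (the fix): never emit more than INPUT_DATA_SIZE bytes,
 * including the terminator, so safe_var is untouched whatever the length. */
static int write_bounded(int ndigits) {
    char digits[128];
    make_digits(digits, ndigits);
    init_heap();
    snprintf(input_data, INPUT_DATA_SIZE, "%s", digits);
    return check_win();
}

int main(void) {
    printf("31 digits unbounded: win=%d safe_var=\"%s\"\n", write_unbounded(31), safe_var);
    printf("32 digits unbounded: win=%d safe_var=\"%s\"\n", write_unbounded(32), safe_var);
    printf("65 digits bounded:   win=%d safe_var=\"%s\"\n", write_bounded(65), safe_var);
    return 0;
}
```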


Thanks for reading!
